Blind XSS in Apple School- Enrollment Data Disclosure
.
2 min readJul 5, 2021
Hello!
I’am Hackrzvijay
I have found blind xss in apple school during october 2020..
Reproduction Steps:
During researching apple i have found one subdomain school.apple.com
In the enrollment form i have added my xss hunter payload multiple times which was created by iammandatory
After adding the payload the enrollment data has fired in my xss hunter within 5 to 10 seconds.
Nearly 420 records have been disclosed at the time of research but large number is possible in real time if continuously payload is added.
Above is the data and below is the proof that my xsshunter payload has executed.